Web security flaws are something you have to find for yourself and then analyze at a basic level. Let me start with an analysis of a SQL injection risk.
Bug: the testfire site has a SQL injection risk.
Bug title: Testfire website > login page > login box is vulnerable to SQL injection.
1. SQL injection attacks: the attacker inserts SQL commands into the input fields of a web form or into the query string of a page request, tricking the server into executing malicious SQL commands.
SQL injection arrives over the normal web port and, on the surface, looks no different from ordinary web page access, so the current firewall does not alert on it.
2. A common SQL injection attack proceeds as follows:
(1) An ASP.NET web application has a login page that controls whether the user has access to the application; it requires the user to enter a name and a password.
(2) The content entered on the login page is used directly to construct a dynamic SQL command, or is passed directly as the parameters of a stored procedure.
(3) The attacker enters a string such as  ' or '1'='1  into the user name and password input boxes.
(4) After the submitted content reaches the server, the server runs the ASP.NET code that constructs the SQL command to look up the user, but because the attacker's input is so unusual, the resulting SQL command becomes
SELECT * FROM Users WHERE login = '' or '1'='1' AND password = '' or '1'='1';
(5) The server executes the query or stored procedure and compares the identity information entered by the user with the identity information stored on the server.
(6) Because the SQL command has been altered by the injected input, it no longer really authenticates the user, so the system incorrectly authorizes the attacker.
The harm of a successful SQL injection is that, if the account in use has administrator or other elevated permissions, the attacker may perform any desired action on the database tables, including deleting, adding, modifying or updating data, and possibly even dropping tables.
3. How to prevent SQL injection attacks.
Filter all input before using the contents of the form to construct a SQL command.
There are six filtering approaches:
(1) For dynamically constructed SQL queries, the following methods can be used:
a. Replace single quotes, that is, change every single quote into two single quotes, so that the attacker cannot alter the meaning of the SQL command.
Example, before escaping:
SELECT * FROM Users WHERE login = '' or '1'='1' AND password = '' or '1'='1';
After doubling the quotes in the input, the whole string stays inside the literal:
SELECT * FROM Users WHERE login = ''' or ''1''=''1' AND password = ''' or ''1''=''1';
b. Delete all hyphens from the user's input, to prevent the attacker from constructing a query like the following:
SELECT * FROM Users WHERE login = 'man'--' AND password = '';
Since the second half of this command has been commented out, it has no effect; as long as the attacker knows a legitimate login name, they can obtain that user's permissions without knowing the password.
c. Restrict the permissions of the database account used for the query.
(2) Use stored procedures for all queries.
(3) Limit the length of form fields and query strings.
(4) Check the validity of the user name input. Data validation should be done on both the client and the server; validating on the server makes up for the weakness of client-side validation. Client-side validation is weak mainly because the attacker can obtain the source code of the web page, modify the validation script, and submit illegal content to the server through the modified form.
(5) Save user login names, passwords and other data in encrypted form. Encrypt the data the user enters, then compare it with the data saved in the database, so that the attacker cannot inject SQL commands.
(6) Check the records returned by the query that extracts the data. If the program expects only one record to be returned and the result contains more than one row, treat it as an error.
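As an added example (not from the original post), the following Python script, using sqlite3 and a constructed two-user table, reproduces steps (2) through (6) of the attack against string-concatenated SQL and then applies the defenses discussed above: quote doubling (method a), a parameterized query as the driver-level form of passing input as parameters rather than as SQL text, and the single-row check (method 6). The table contents, function names and the clear-text passwords are assumptions made for the example.

```python
import sqlite3

PAYLOAD = "' or '1'='1"  # the input from step (3) of the post


def make_db():
    """Constructed sample table for this example; the post names only
    Users(login, password). Passwords are in clear text here for brevity;
    point (5) of the post says to store them encrypted."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE Users (login TEXT, password TEXT)")
    conn.executemany("INSERT INTO Users VALUES (?, ?)",
                     [("jsmith", "demo1234"), ("admin", "s3cret")])
    return conn


def login_concat(conn, login, password):
    """Vulnerable, as in step (2): raw input is pasted into the SQL text."""
    sql = ("SELECT * FROM Users WHERE login = '" + login +
           "' AND password = '" + password + "'")
    return conn.execute(sql).fetchall()


def double_quotes(s):
    """Method (1)a: every single quote becomes two, so the input cannot
    close the string literal it is placed in."""
    return s.replace("'", "''")


def login_escaped(conn, login, password):
    """Same concatenation as above, but with the quotes doubled first."""
    sql = ("SELECT * FROM Users WHERE login = '" + double_quotes(login) +
           "' AND password = '" + double_quotes(password) + "'")
    return conn.execute(sql).fetchall()


def login_param(conn, login, password):
    """Parameter binding: the driver sends the values separately from the
    SQL text, so quotes in the input never reach the SQL parser."""
    sql = "SELECT * FROM Users WHERE login = ? AND password = ?"
    return conn.execute(sql, (login, password)).fetchall()


def authenticate(conn, login, password):
    """Bound parameters plus method (6): exactly one matching row, else reject."""
    return len(login_param(conn, login, password)) == 1


if __name__ == "__main__":
    conn = make_db()
    print(login_concat(conn, PAYLOAD, PAYLOAD))       # both rows: attacker is in
    print(login_escaped(conn, PAYLOAD, PAYLOAD))      # []
    print(login_param(conn, PAYLOAD, PAYLOAD))        # []
    print(authenticate(conn, "jsmith", "demo1234"))   # True
```

Run with any Python 3; the concatenated form returns every row because the injected OR makes the WHERE clause true for all users, while the escaped and bound forms compare the login column against the literal payload string and return nothing.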
4. Common types of SQL injection
(1) Escape characters not filtered correctly
(2) Vulnerabilities in the database server
(3) Blind SQL injection attacks
(4) Conditional responses
(5) Conditional errors
(6) Time delays
This is only a rough classification. New attacks now use a variety of tools to speed up the exploitation of these vulnerabilities.